How to Verify the Digital Signature of Venafi Installation Files

Venafi digitally signs its installation files (e.g. Microsoft MSI and Linux RPM) to prevent tampering. Digitally signed install files provide a secure method for customers to verify that the software they install is from Venafi and that it has not been modified by another party.

Digital signatures are based on digital certificates and help to establish the following security measures:

Authenticity

Integrity

Non-repudiation

IMPORTANT! Always verify the signature of Venafi installation files before running the installer.

To verify installation files on supported platforms

On Windows:

Right-click on a Venafi MSI file and click Properties.

In the Properties dialog box, click the Digital Signatures tab.

From the Signature list, locate and click Venafi, Inc., and then click Details.

In the Digital Signature Details box, carefully review the signer information and certificate details to ensure that the certificate is authentic and belongs to Venafi, Inc.

On Linux:

You can verify the digital signature of an extracted RPM file using one or more of the following commands. They are listed in order from the simplest check to the most thorough verification.

To quickly verify that the RPM file you extracted from a Venafi tarball is signed, run the following command. This simply tells you that the RPM file carries a signature; it does not provide the level of detail offered by the other commands listed below.

rpm -qip venafi-agent-17.4.0-linux-i386.rpm

If you want to perform a more thorough verification of an RPM file from Venafi, then you must import the Venafi RPM signing public key into your RPM key database.

NOTE: Before running this command, you must first download the public key from the Venafi support site.

rpm --import rpm-gpg-key-venafi.pub

To perform a general signature verification, showing that an RPM extracted from a tarball downloaded from the Venafi FTP site carries a valid signature, run the following commands. The expected output is shown after the last command.

NOTE: You must run the previous command first (rpm --import) so that the public key is already imported into your RPM key database.

tar zxvf venafi-agent-17.4.0-linux-x86_64.rpm.tar.gz

rpm --import rpm-gpg-key-venafi.pub

rpm --checksig venafi-agent-17.4.0-linux-i386.rpm

venafi-agent-17.4.0-linux-i386.rpm: rsa sha1 (md5) pgp md5 OK
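When this check is scripted rather than read by eye, the status line above has to be interpreted with care: rpm prints "OK" for an unsigned package whose digests merely match, and reports a missing key rather than a bad signature when the Venafi public key was never imported. The following shell script is an added example, not Venafi's own tooling; it assumes rpm 4.x output conventions, and every sample line in it is constructed rather than captured from a real package.

```shell
#!/bin/sh
# checksig_ok LINE
# Return 0 only when a "rpm --checksig" status LINE reports a verified
# signature, not merely matching digests. Three conditions must hold:
#   1. the status is "OK" and not "NOT OK";
#   2. no missing-key marker (NOKEY / MISSING KEYS) is present, which is
#      what rpm reports when the signing key was never imported;
#   3. a signature token (pgp, gpg, rsa, dsa, signatures) is present,
#      because an unsigned RPM prints e.g. "sha1 md5 OK" (digests only).
checksig_ok() {
    line=$1
    summary=${line#*: }            # drop the "<file>: " prefix
    case $summary in
        *"NOT OK"*|*NOKEY*|*"MISSING KEYS"*) return 1 ;;
    esac
    case $summary in
        *" OK"|OK) ;;              # must end in a bare OK
        *) return 1 ;;
    esac
    lower=$(printf '%s' "$summary" | tr 'A-Z' 'a-z')
    case $lower in
        *pgp*|*gpg*|*rsa*|*dsa*|*signatures*) return 0 ;;
    esac
    return 1                       # digests only: package is unsigned
}

# verify_rpm FILE: run the real check and apply the same rule.
verify_rpm() {
    out=$(rpm --checksig "$1" 2>&1) || { printf '%s\n' "$out"; return 1; }
    printf '%s\n' "$out"
    checksig_ok "$out"
}

# Constructed sample status lines (hypothetical, not real Venafi output).
SIGNED_OK='venafi-agent-17.4.0-linux-i386.rpm: rsa sha1 (md5) pgp md5 OK'
NO_KEY='venafi-agent-17.4.0-linux-i386.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#0123abcd)'
UNSIGNED='venafi-agent-17.4.0-linux-i386.rpm: sha1 md5 OK'
NEW_OK='venafi-agent-17.4.0-linux-i386.rpm: digests signatures OK'
NEW_NO_KEY='venafi-agent-17.4.0-linux-i386.rpm: digests SIGNATURES NOT OK'
NEW_UNSIGNED='venafi-agent-17.4.0-linux-i386.rpm: digests OK'

for l in "$SIGNED_OK" "$NO_KEY" "$UNSIGNED" "$NEW_OK" "$NEW_NO_KEY" "$NEW_UNSIGNED"; do
    if checksig_ok "$l"; then echo "PASS: $l"; else echo "FAIL: $l"; fi
done
```

Call verify_rpm on the extracted RPM after rpm --import to get a non-zero exit status whenever the package is unsigned, the key is missing, or the signature does not verify.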

To perform the most thorough verification, run the following command.

NOTE: As with the previous command, you must run the rpm --import command first so that the public key is already imported into your RPM key database.